[SCM] Samba Shared Repository - branch master updated
Andreas Schneider
asn at samba.org
Thu Jun 29 18:16:03 UTC 2017
The branch, master has been updated
via 6cddaa5 auth/spnego: do basic state_position checking in gensec_spnego_update_in()
via e9f1daa auth/spnego: move gensec_spnego_update() into gensec_spnego_update_send()
via 91287ce auth/spnego: split out gensec_spnego_update_{client,server}() functions
via d6bb878 auth/spnego: remove unused out_mem_ctx = spnego_state fallback in gensec_spnego_update()
via 5f4eed3 auth/spnego: add gensec_spnego_update_sub_abort() helper function
via 728a5c4 auth/spnego: remove useless spnego_state->sub_sec_ready check
via b75cc98 auth/spnego: consistently set spnego_state->sub_sec_ready = true after gensec_update_ev()
via 7085d2b auth/spnego: rename spnego_state->no_response_expected to ->sub_sec_ready
via cd245e1 auth/spnego: move gensec_spnego_update_out() behind gensec_spnego_update_in()
via 6cdc7e2 auth/spnego: move some more logic to gensec_spnego_update_in()
via 2e0f749 auth/spnego: move gensec_spnego_update_in() after gensec_spnego_update_send()
via a5fc791 auth/spnego: set state_position = SPNEGO_DONE in gensec_spnego_update_cleanup()
via edd8dab auth/spnego: move gensec_spnego_update_wrapper() into gensec_spnego_update_send()
via 9d74c41 auth/spnego: make use of data_blob_null instead of using data_blob(NULL, 0)
from c5a5989 ctdb-tests: Add transaction/recovery test for replicated database
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 6cddaa577bf402eccac1bd1240c7cf83549564fe
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jun 14 03:29:58 2017 +0200
auth/spnego: do basic state_position checking in gensec_spnego_update_in()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Thu Jun 29 20:15:05 CEST 2017 on sn-devel-144
commit e9f1daa6f43fcb2c6db35c66d786947cf2af9bc5
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jun 13 23:41:01 2017 +0200
auth/spnego: move gensec_spnego_update() into gensec_spnego_update_send()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 91287ce566c53aabb8b928827a4c7fd9b6465ee1
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 30 06:56:47 2016 +0100
auth/spnego: split out gensec_spnego_update_{client,server}() functions
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit d6bb8785cdaddbad6483d7703ab7f0688faf1469
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jun 27 18:05:04 2017 +0200
auth/spnego: remove unused out_mem_ctx = spnego_state fallback in gensec_spnego_update()
The only caller never passes NULL.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 5f4eed37ea7633ef2903fe8a9f90879cafa2615b
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 10 14:44:48 2017 +0200
auth/spnego: add gensec_spnego_update_sub_abort() helper function
This helps to be consistent when destroying an unusable sub context.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 728a5c44b45bee452a75b4b2f33f2817a55d7e1d
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 30 09:06:33 2016 +0100
auth/spnego: remove useless spnego_state->sub_sec_ready check
The lines above make sure it's always true.
Check with git show -U15
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit b75cc98c18015848446c1e6d49db53ea8bf684f2
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 30 09:04:47 2016 +0100
auth/spnego: consistently set spnego_state->sub_sec_ready = true after gensec_update_ev()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 7085d2bf15e167c45ff081b36b5fb41689acb9ea
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 30 09:03:08 2016 +0100
auth/spnego: rename spnego_state->no_response_expected to ->sub_sec_ready
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit cd245e11632e34a64be859f7586baa8fc7c58791
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jun 13 22:43:59 2017 +0200
auth/spnego: move gensec_spnego_update_out() behind gensec_spnego_update_in()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 6cdc7e2fc28c924230c59b4f67bd97472d1719eb
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jun 13 22:41:14 2017 +0200
auth/spnego: move some more logic to gensec_spnego_update_in()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 2e0f749758d14a9be11a6b833a6e9c86bdada452
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jun 13 16:59:02 2017 +0200
auth/spnego: move gensec_spnego_update_in() after gensec_spnego_update_send()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit a5fc7914b5380392516365f3290651234ce462f1
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jun 14 08:43:13 2017 +0200
auth/spnego: set state_position = SPNEGO_DONE in gensec_spnego_update_cleanup()
Every fatal error should mark the spnego_state to reject any further update()
calls.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit edd8dabd9cb9f49b29b761ef1bf8f832a6a2b8a4
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jun 13 16:53:06 2017 +0200
auth/spnego: move gensec_spnego_update_wrapper() into gensec_spnego_update_send()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 9d74c417de8b2eb7fc057face2982799d2804ea7
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 30 16:36:23 2016 +0100
auth/spnego: make use of data_blob_null instead of using data_blob(NULL, 0)
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
-----------------------------------------------------------------------
Summary of changes:
auth/gensec/spnego.c | 856 +++++++++++++++++++++++++++++----------------------
1 file changed, 481 insertions(+), 375 deletions(-)
Changeset truncated at 500 lines:
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 9495933..964f44f 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -51,7 +51,7 @@ struct spnego_state {
enum spnego_message_type expected_packet;
enum spnego_state_position state_position;
struct gensec_security *sub_sec_security;
- bool no_response_expected;
+ bool sub_sec_ready;
const char *neg_oid;
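Review bot: the renamed `bool sub_sec_ready;` member of struct spnego_state carries no comment saying what it means, and the rename inverts the sense from "no response expected" to "the sub mechanism is ready". A one-line comment next to the declaration, e.g. `/* gensec_update_ev() on sub_sec_security returned NT_STATUS_OK */`, would keep the state machine readable for the next person touching this file.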
@@ -77,6 +77,11 @@ struct spnego_state {
NTSTATUS out_status;
};
+static void gensec_spnego_update_sub_abort(struct spnego_state *spnego_state)
+{
+ spnego_state->sub_sec_ready = false;
+ TALLOC_FREE(spnego_state->sub_sec_security);
+}
static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_security)
{
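Review bot: gensec_spnego_update_sub_abort() is introduced without a comment describing its contract, even though every caller annotates the call with "Pretend we never started it". A short doc comment above the helper stating that it returns spnego_state to the state before any sub mechanism was started (sub_sec_ready cleared, sub_sec_security freed and set to NULL by TALLOC_FREE) would make explicit which fields callers may assume are reset, and which (such as neg_oid) are not touched by it.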
@@ -90,8 +95,8 @@ static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_securi
spnego_state->expected_packet = SPNEGO_NEG_TOKEN_INIT;
spnego_state->state_position = SPNEGO_CLIENT_START;
spnego_state->sub_sec_security = NULL;
- spnego_state->no_response_expected = false;
- spnego_state->mech_types = data_blob(NULL, 0);
+ spnego_state->sub_sec_ready = false;
+ spnego_state->mech_types = data_blob_null;
spnego_state->out_max_length = gensec_max_update_size(gensec_security);
spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
@@ -114,8 +119,8 @@ static NTSTATUS gensec_spnego_server_start(struct gensec_security *gensec_securi
spnego_state->expected_packet = SPNEGO_NEG_TOKEN_INIT;
spnego_state->state_position = SPNEGO_SERVER_START;
spnego_state->sub_sec_security = NULL;
- spnego_state->no_response_expected = false;
- spnego_state->mech_types = data_blob(NULL, 0);
+ spnego_state->sub_sec_ready = false;
+ spnego_state->mech_types = data_blob_null;
spnego_state->out_max_length = gensec_max_update_size(gensec_security);
spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
@@ -212,7 +217,6 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
{
int i;
NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER;
- DATA_BLOB null_data_blob = data_blob(NULL,0);
bool ok;
const struct gensec_security_ops_wrapper *all_sec
@@ -247,8 +251,10 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
nt_status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
all_sec[i].op);
if (!NT_STATUS_IS_OK(nt_status)) {
- talloc_free(spnego_state->sub_sec_security);
- spnego_state->sub_sec_security = NULL;
+ /*
+ * Pretend we never started it
+ */
+ gensec_spnego_update_sub_abort(spnego_state);
break;
}
@@ -271,14 +277,19 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
ev,
unwrapped_in,
unwrapped_out);
+ if (NT_STATUS_IS_OK(nt_status)) {
+ spnego_state->sub_sec_ready = true;
+ }
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER) ||
NT_STATUS_EQUAL(nt_status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
- /* Pretend we never started it (lets the first run find some incompatible demand) */
DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed to parse contents: %s\n",
spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
- talloc_free(spnego_state->sub_sec_security);
- spnego_state->sub_sec_security = NULL;
+
+ /*
+ * Pretend we never started it
+ */
+ gensec_spnego_update_sub_abort(spnego_state);
break;
}
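Review bot: the removed comment "(lets the first run find some incompatible demand)" explained why an NT_STATUS_INVALID_PARAMETER or NT_STATUS_CANT_ACCESS_DOMAIN_INFO result drops the mech and moves on; the replacement "Pretend we never started it" keeps the what but loses the why, so consider carrying that rationale over into the new comment block. Note also that the DEBUG(1, ...) call still dereferences spnego_state->sub_sec_security->ops->name, so gensec_spnego_update_sub_abort() must stay after it as it does here; a comment would guard against a future reorder.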
@@ -312,8 +323,10 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
nt_status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
all_sec[i].op);
if (!NT_STATUS_IS_OK(nt_status)) {
- talloc_free(spnego_state->sub_sec_security);
- spnego_state->sub_sec_security = NULL;
+ /*
+ * Pretend we never started it.
+ */
+ gensec_spnego_update_sub_abort(spnego_state);
continue;
}
@@ -323,8 +336,11 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
nt_status = gensec_update_ev(spnego_state->sub_sec_security,
out_mem_ctx,
ev,
- null_data_blob,
+ data_blob_null,
unwrapped_out);
+ if (NT_STATUS_IS_OK(nt_status)) {
+ spnego_state->sub_sec_ready = true;
+ }
/* it is likely that a NULL input token will
* not be liked by most server mechs, but if
@@ -363,9 +379,10 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
principal,
next, nt_errstr(nt_status)));
- /* Pretend we never started it (lets the first run find some incompatible demand) */
- talloc_free(spnego_state->sub_sec_security);
- spnego_state->sub_sec_security = NULL;
+ /*
+ * Pretend we never started it.
+ */
+ gensec_spnego_update_sub_abort(spnego_state);
continue;
}
}
@@ -383,7 +400,7 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
* time */
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER)) {
- *unwrapped_out = data_blob(NULL, 0);
+ *unwrapped_out = data_blob_null;
nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
}
@@ -392,13 +409,12 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
&& !NT_STATUS_IS_OK(nt_status)) {
DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed: %s\n",
spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
- talloc_free(spnego_state->sub_sec_security);
- spnego_state->sub_sec_security = NULL;
/* We started the mech correctly, and the
* input from the other side was valid.
* Return the error (say bad password, invalid
* ticket) */
+ gensec_spnego_update_sub_abort(spnego_state);
return nt_status;
}
@@ -426,9 +442,8 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
{
int i;
NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER;
- DATA_BLOB null_data_blob = data_blob(NULL,0);
const char **mechTypes = NULL;
- DATA_BLOB unwrapped_out = data_blob(NULL, 0);
+ DATA_BLOB unwrapped_out = data_blob_null;
const struct gensec_security_ops_wrapper *all_sec;
mechTypes = gensec_security_oids(gensec_security,
@@ -453,8 +468,7 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
nt_status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
all_sec[i].op);
if (!NT_STATUS_IS_OK(nt_status)) {
- talloc_free(spnego_state->sub_sec_security);
- spnego_state->sub_sec_security = NULL;
+ gensec_spnego_update_sub_abort(spnego_state);
continue;
}
@@ -463,8 +477,11 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
nt_status = gensec_update_ev(spnego_state->sub_sec_security,
out_mem_ctx,
ev,
- null_data_blob,
+ data_blob_null,
&unwrapped_out);
+ if (NT_STATUS_IS_OK(nt_status)) {
+ spnego_state->sub_sec_ready = true;
+ }
if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)
&& !NT_STATUS_IS_OK(nt_status)) {
@@ -494,10 +511,11 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
spnego_state->sub_sec_security->ops->name,
principal,
next, nt_errstr(nt_status)));
- talloc_free(spnego_state->sub_sec_security);
- spnego_state->sub_sec_security = NULL;
- /* Pretend we never started it (lets the first run find some incompatible demand) */
+ /*
+ * Pretend we never started it
+ */
+ gensec_spnego_update_sub_abort(spnego_state);
continue;
}
}
@@ -517,14 +535,14 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
/* List the remaining mechs as options */
spnego_out.negTokenInit.mechTypes = send_mech_types;
- spnego_out.negTokenInit.reqFlags = null_data_blob;
+ spnego_out.negTokenInit.reqFlags = data_blob_null;
spnego_out.negTokenInit.reqFlagsPadding = 0;
if (spnego_state->state_position == SPNEGO_SERVER_START) {
spnego_out.negTokenInit.mechListMIC
= data_blob_string_const(ADS_IGNORE_PRINCIPAL);
} else {
- spnego_out.negTokenInit.mechListMIC = null_data_blob;
+ spnego_out.negTokenInit.mechListMIC = data_blob_null;
}
spnego_out.negTokenInit.mechToken = unwrapped_out;
@@ -537,14 +555,9 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
/* set next state */
spnego_state->neg_oid = all_sec[i].oid;
- if (NT_STATUS_IS_OK(nt_status)) {
- spnego_state->no_response_expected = true;
- }
-
return NT_STATUS_MORE_PROCESSING_REQUIRED;
- }
- talloc_free(spnego_state->sub_sec_security);
- spnego_state->sub_sec_security = NULL;
+ }
+ gensec_spnego_update_sub_abort(spnego_state);
DEBUG(10, ("Failed to setup SPNEGO negTokenInit request: %s\n", nt_errstr(nt_status)));
return nt_status;
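Review bot: with the `if (NT_STATUS_IS_OK(nt_status)) { spnego_state->no_response_expected = true; }` block removed here, sub_sec_ready is now set inside the mech loop directly after gensec_update_ev() (the `if (NT_STATUS_IS_OK(nt_status))` block in the earlier hunk). That is only correct if every failure path between that assignment and `continue` goes through gensec_spnego_update_sub_abort(), otherwise a stale sub_sec_ready = true survives into the next iteration; the visible `continue` paths all do, but a comment on the loop stating this invariant would be worthwhile. The `}` change just above is whitespace-only and could be dropped from the diff.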
@@ -564,7 +577,6 @@ static NTSTATUS gensec_spnego_server_negTokenTarg(struct spnego_state *spnego_st
DATA_BLOB *out)
{
struct spnego_data spnego_out;
- DATA_BLOB null_data_blob = data_blob(NULL, 0);
/* compose reply */
spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
@@ -589,7 +601,7 @@ static NTSTATUS gensec_spnego_server_negTokenTarg(struct spnego_state *spnego_st
spnego_state->state_position = SPNEGO_DONE;
} else {
spnego_out.negTokenTarg.negResult = SPNEGO_REJECT;
- spnego_out.negTokenTarg.mechListMIC = null_data_blob;
+ spnego_out.negTokenTarg.mechListMIC = data_blob_null;
DEBUG(2, ("SPNEGO login failed: %s\n", nt_errstr(nt_status)));
spnego_state->state_position = SPNEGO_DONE;
}
@@ -605,92 +617,23 @@ static NTSTATUS gensec_spnego_server_negTokenTarg(struct spnego_state *spnego_st
return nt_status;
}
-
-static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
- struct tevent_context *ev,
- const DATA_BLOB in, DATA_BLOB *out)
+static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_security,
+ TALLOC_CTX *out_mem_ctx,
+ struct tevent_context *ev,
+ const DATA_BLOB in, DATA_BLOB *out)
{
struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
- DATA_BLOB null_data_blob = data_blob(NULL, 0);
- DATA_BLOB mech_list_mic = data_blob(NULL, 0);
- DATA_BLOB unwrapped_out = data_blob(NULL, 0);
+ DATA_BLOB mech_list_mic = data_blob_null;
+ DATA_BLOB unwrapped_out = data_blob_null;
struct spnego_data spnego_out;
struct spnego_data spnego;
-
ssize_t len;
- *out = data_blob(NULL, 0);
-
- if (!out_mem_ctx) {
- out_mem_ctx = spnego_state;
- }
+ *out = data_blob_null;
/* and switch into the state machine */
switch (spnego_state->state_position) {
- case SPNEGO_FALLBACK:
- return gensec_update_ev(spnego_state->sub_sec_security,
- out_mem_ctx, ev, in, out);
- case SPNEGO_SERVER_START:
- {
- NTSTATUS nt_status;
- if (in.length) {
-
- len = spnego_read_data(gensec_security, in, &spnego);
- if (len == -1) {
- return gensec_spnego_server_try_fallback(gensec_security, spnego_state,
- ev, out_mem_ctx, in, out);
- }
- /* client sent NegTargetInit, we send NegTokenTarg */
-
- /* OK, so it's real SPNEGO, check the packet's the one we expect */
- if (spnego.type != spnego_state->expected_packet) {
- DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type,
- spnego_state->expected_packet));
- dump_data(1, in.data, in.length);
- spnego_free_data(&spnego);
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- nt_status = gensec_spnego_parse_negTokenInit(gensec_security,
- spnego_state,
- out_mem_ctx,
- ev,
- spnego.negTokenInit.mechTypes,
- spnego.negTokenInit.mechToken,
- &unwrapped_out);
-
- if (spnego_state->simulate_w2k) {
- /*
- * Windows 2000 returns the unwrapped token
- * also in the mech_list_mic field.
- *
- * In order to verify our client code,
- * we need a way to have a server with this
- * broken behaviour
- */
- mech_list_mic = unwrapped_out;
- }
-
- nt_status = gensec_spnego_server_negTokenTarg(spnego_state,
- out_mem_ctx,
- nt_status,
- unwrapped_out,
- mech_list_mic,
- out);
-
- spnego_free_data(&spnego);
-
- return nt_status;
- } else {
- nt_status = gensec_spnego_create_negTokenInit(gensec_security, spnego_state,
- out_mem_ctx, ev, in, out);
- spnego_state->state_position = SPNEGO_SERVER_START;
- spnego_state->expected_packet = SPNEGO_NEG_TOKEN_INIT;
- return nt_status;
- }
- }
-
case SPNEGO_CLIENT_START:
{
/* The server offers a list of mechanisms */
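Review bot: dropping `if (!out_mem_ctx) { out_mem_ctx = spnego_state; }` means gensec_spnego_update_client() now passes whatever out_mem_ctx it receives straight through to the sub mechanism and spnego_write_data(); the commit message says the only caller never passes NULL, but a comment on the function stating that precondition (or an explicit NULL check returning NT_STATUS_INVALID_PARAMETER) would protect a future caller. The SPNEGO_FALLBACK and SPNEGO_SERVER_START cases also disappear from this switch; since the changeset is truncated at 500 lines, the new gensec_spnego_update_server() is not visible here, so confirm there that both cases moved over intact, including the spnego_free_data() calls on every error path.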
@@ -750,9 +693,9 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
/* compose reply */
spnego_out.type = SPNEGO_NEG_TOKEN_INIT;
spnego_out.negTokenInit.mechTypes = my_mechs;
- spnego_out.negTokenInit.reqFlags = null_data_blob;
+ spnego_out.negTokenInit.reqFlags = data_blob_null;
spnego_out.negTokenInit.reqFlagsPadding = 0;
- spnego_out.negTokenInit.mechListMIC = null_data_blob;
+ spnego_out.negTokenInit.mechListMIC = data_blob_null;
spnego_out.negTokenInit.mechToken = unwrapped_out;
if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
@@ -772,144 +715,10 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
spnego_state->state_position = SPNEGO_CLIENT_TARG;
- if (NT_STATUS_IS_OK(nt_status)) {
- spnego_state->no_response_expected = true;
- }
-
spnego_free_data(&spnego);
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
- case SPNEGO_SERVER_TARG:
- {
- NTSTATUS nt_status;
- bool have_sign = true;
- bool new_spnego = false;
-
- if (!in.length) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- len = spnego_read_data(gensec_security, in, &spnego);
-
- if (len == -1) {
- DEBUG(1, ("Invalid SPNEGO request:\n"));
- dump_data(1, in.data, in.length);
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- /* OK, so it's real SPNEGO, check the packet's the one we expect */
- if (spnego.type != spnego_state->expected_packet) {
- DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type,
- spnego_state->expected_packet));
- dump_data(1, in.data, in.length);
- spnego_free_data(&spnego);
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- spnego_state->num_targs++;
-
- if (!spnego_state->sub_sec_security) {
- DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
- spnego_free_data(&spnego);
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- if (spnego_state->needs_mic_check) {
- if (spnego.negTokenTarg.responseToken.length != 0) {
- DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
- spnego_free_data(&spnego);
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- nt_status = gensec_check_packet(spnego_state->sub_sec_security,
- spnego_state->mech_types.data,
- spnego_state->mech_types.length,
- spnego_state->mech_types.data,
- spnego_state->mech_types.length,
- &spnego.negTokenTarg.mechListMIC);
- if (NT_STATUS_IS_OK(nt_status)) {
- spnego_state->needs_mic_check = false;
- spnego_state->done_mic_check = true;
- } else {
- DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
- nt_errstr(nt_status)));
- }
- goto server_response;
- }
-
- nt_status = gensec_update_ev(spnego_state->sub_sec_security,
- out_mem_ctx, ev,
- spnego.negTokenTarg.responseToken,
- &unwrapped_out);
- if (!NT_STATUS_IS_OK(nt_status)) {
- goto server_response;
- }
-
- have_sign = gensec_have_feature(spnego_state->sub_sec_security,
- GENSEC_FEATURE_SIGN);
- if (spnego_state->simulate_w2k) {
- have_sign = false;
- }
- new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
- GENSEC_FEATURE_NEW_SPNEGO);
- if (spnego.negTokenTarg.mechListMIC.length > 0) {
- new_spnego = true;
- }
-
- if (have_sign && new_spnego) {
- spnego_state->needs_mic_check = true;
- spnego_state->needs_mic_sign = true;
- }
-
- if (have_sign && spnego.negTokenTarg.mechListMIC.length > 0) {
- nt_status = gensec_check_packet(spnego_state->sub_sec_security,
- spnego_state->mech_types.data,
- spnego_state->mech_types.length,
- spnego_state->mech_types.data,
- spnego_state->mech_types.length,
- &spnego.negTokenTarg.mechListMIC);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
- nt_errstr(nt_status)));
- goto server_response;
- }
-
- spnego_state->needs_mic_check = false;
- spnego_state->done_mic_check = true;
- }
-
- if (spnego_state->needs_mic_sign) {
- nt_status = gensec_sign_packet(spnego_state->sub_sec_security,
- out_mem_ctx,
- spnego_state->mech_types.data,
- spnego_state->mech_types.length,
- spnego_state->mech_types.data,
- spnego_state->mech_types.length,
- &mech_list_mic);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(2,("GENSEC SPNEGO: failed to sign mechListMIC: %s\n",
- nt_errstr(nt_status)));
- goto server_response;
- }
- spnego_state->needs_mic_sign = false;
- }
-
- if (spnego_state->needs_mic_check) {
- nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
- }
-
- server_response:
- nt_status = gensec_spnego_server_negTokenTarg(spnego_state,
- out_mem_ctx,
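Review bot: the `spnego_state->no_response_expected = true` block removed after `spnego_state->state_position = SPNEGO_CLIENT_TARG;` has no visible replacement in this hunk; confirm that the gensec_update_ev() call earlier in the SPNEGO_CLIENT_START case now sets sub_sec_ready = true on NT_STATUS_OK in the same way as the three call sites changed above, otherwise the client side loses the information that the sub mechanism completed in its first round. The removal of the SPNEGO_SERVER_TARG case (mechListMIC verification via gensec_check_packet() and signing via gensec_sign_packet()) is cut off by the 500-line truncation, so the server counterpart cannot be reviewed from this mail.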
--